Archive for February 2011

In insurance companies, where “production” consists of risk assumption and risk accumulation, measuring a company’s risk capacity and risk capacity utilization is not as straightforward as in companies that manufacture widgets. Like industrial companies, insurance companies need to measure and manage their “production” or rather “risk” (accumulation) capacity.

The recent crisis has demonstrated that insurance companies need to measure and manage their risk capacity utilization in relation to the amount of risk capacity lest they become overextended. In insurance companies, risk capacity needs to be determined so as to satisfy:

Solvency concerns of policyholders, for which insurance strength ratings assigned by the leading independent rating agencies and A.M. Best are generally accepted as proxies. Shareholders are also interested in these ratings, which they view as indicators of companies’ ability to attract and retain customers and achieve their financial objectives.

Maintenance of regulatory Risk Based Capital (RBC) adequacy ratios sufficient to prevent regulators from intervening in company management.

Risk capacity is most commonly a measure of an insurance company’s ability to accumulate risk exposures, on a going concern basis, while meeting risk tolerance constraints of solvency-focused stakeholders (policyholders, rating agencies and regulators). Risk concerns of these stakeholders are generally expressed as confidence levels at which a company is capable of meeting particular standards of performance, (e.g. maximum probability of default, maintenance of the capital needed to support a target rating or RBC adequacy level) over a defined time horizon.

A company’s risk capacity is customarily measured by its available capital and its risk capacity utilization is measured by the amount of capital needed to meet the risk tolerance constraints of credit-sensitive stakeholders, given its present portfolio of risk exposures. In order to gain the confidence of investors and customers and to enjoy a viable future, an insurance company needs to understand how its strategic plan impacts the prospective utilization of its risk capacity, and therefore the adequacy of its capital in relation to its projected financial performance and growth aspirations.

To perform this assessment, a company needs to estimate its prospective risk capacity utilization (i.e. capital required) for executing its strategic plan. To perform this analysis, it needs to project its risk profile over a three to five years planning horizon (approximating going concern conditions), under growth assumptions embedded in its strategic plan. A properly constructed risk profile should enable a company to consider the impact of extreme conditions, often scenarios that include multiple catastrophes or financial crises, as well as the contribution of earnings retention to risk capacity. This basic strategic planning exercise, completed in a risk-aware framework will demonstrate the risk capital (and, thus, capacity utilization) required to execute the strategic plan.

Ideally, the required financial models should be capable of producing i) full distributions of financial outcomes rather than tail sections of these distributions, ii) elements of the balance sheet and P&L statements needed to calculate earnings, earnings volatility, downside risk from planned earning amounts in future periods, iii) calculations of RBC, and associated capital adequacy ratios, including A.M. Best’s capital adequacy ratio (BCAR) and iv) financial performance reports developed under multiple accounting standards, including statutory and GAAP or IFRS, or on an economic basis. These data are needed for management to explore how capital requirements and thus also risk capacity utilization respond to changes in risk strategy and business strategy.

The company’s risk profile can be derived from the aggregation of the distributions of financial results of individual lines or business segments based on the amount and volatility characteristics of exposures, limits assumed, applicable reinsurance treaties, and asset mix, over a three to five year time horizon so as to approximate going concern conditions.

The use of multi-year solvency analyses of companies’ risk profile, instead of a one year horizon required under the regulatory provisions of many jurisdictions, typically results in significantly higher estimates of risk capital requirements and risk capacity utilization than those obtained under the one year horizon. As a result, companies that rely primarily on one year solvency analyses to assess the adequacy of their capital tend to understate their capital requirements and are more likely to overextend themselves. Importantly, the underlying assumption that capital shortfalls could be covered as and when needed by raising capital from investors has been shown to be unrealistic during the recent financial crisis, highlighting what may be a fundamental flaw in the widely touted Solvency II framework.

Share this:

Like this:

Risk management has two important phases. The first phase is Between Crises (BC) and the second phase is During Crises (DC). The skills and activities needed for these two phases are totally different. This post will talk about the DC phase.

During the Crisis, the concentration of the risk manager must shift to survival. Much has been made of the famous saying from Baron Rothchild

“Buy when there’s blood in the streets, even if the blood is your own.“

But Rothchild famously made his own luck by arranging that he was the first to know the outcome of the battle of Waterloo. And when the crisis hits, that is what you will hope that you, or your predecessor did before the crisis – make some of that sort of luck.

One of the things that often happens is that the organization will seem to shift right out from under you. The norms and objectives that you thought were agreed are no longer in place. You will be judged by a set of rules that are being written right now.

An old (1938) article by Robert Merton, SOCIAL STRUCTURE AND ANOMIE, suggests that there are five ways that people can react to situations where they are unhappy with how the rules and norms are working:

Conformity

Innovation

Ritualism

Retreat

Rebellion

Conformity means that they simply continue to operate under the old rules and norms as if nothing has happened. In many cases, risk managers act as if this is the only possibility however.

Innovation means that they try to come up with a new way to solve their problem within the same structure that was in place. Innovation may or may not work and if it does not work, then one of the other responses will be next. Often the risk manager is trying to innovate the way out of the crisis.

Ritualism means that they start to go through the motions of following the old rules, even though there is a strong sense that those rules no longer work as that had been working. Things get more rigid and hierarchical. Stepping on the wrong person’s toes has become a more significant infraction than it had been.

Retreat means that the organization freezes. In some cases, it is the CEO who retreats, simply disappearing from the scene and lines of authority become blurry.

Rebellion means that the old rules and norms of the company are overthrown and new rules and norms replace the old quite rapidly. This is most often accompanied by major management personnel changes. But sometimes not.

The risk manager needs to be aware of these possibilities and make plans accordingly.

Over the years, Riskviews has seen many risk management systems that are developed by people, usually auditors, from the COSO guide to ERM. What is most commonly seen is that COSO based ERM system has a few characteristics in common:

They usually take at least a year to implement phase 1. By the end of that year, no actual improvements or changes to actual risk treatment activities take place. The most common product of that year’s efforts is a risk register.

The risk register usually contains at least 100 risks. Many of these systems have closer to 200 risks identified.

Top management is completely baffled about why they need to spend their time paying any attention to such activity. If you ask them anything about risk or risk management at the end of the year, you will often find that they cannot recall anything specific about the process.

The COSO process seems to be totally a Loss Controlling approach to ERM. This approach would appeal to companies and managers of companies who have the Conservator risk attitude. Riskviews has found that a small minority of insurance company management have the Conservator risk attitude and that almost zero insurance firms are managed with a Conservator risk approach. That is another way of saying that COSO does not fit well with insurance company management approaches.

ISO 31000 is new risk management standard that was developed from the Australia/New Zealand standards that have been used and improved over the past 15 years. The following post gives a discussion of the differences between the two.

ISO 31000 does not clearly fall into the Loss Controlling category of ERM approach. It seems to seek to be in the Risk Steering camp. Which makes it much more applicable to insurers, many of which are managed with the Manager risk approach.

Riskviews main complaint about ISO 31000 is with the degree to which it emphasizes endless process over actual risk treatment action.

ISO 31000 encourages firms to adopt what Riskviews calls a Risk Management Entertainment System. Sadly, this is not a joke. Many firms will proudly present a show and tell about their reports and meetings and org charts and policy statements when asked about ERM and be flummoxed when asked about any actual risk treatment that is taking place and where it fits into the risk management system.

That is a major problem with detailed prescriptive systems like ISO 31000. While that document says nearly all the right things, the people who pick it up and seek to apply it quite often do not get the sense of what is IMPORTANT and what is less important in developing an ERM system.

In fact, what is actually IMPORTANT is that ERM helps management to focus on the important risks of the firm and making the right moves so that exposures to those risks are of the size that they would choose. Human beings have limitations and those limitations would suggest that these important risks need to number less than 10 if they are really going to get top management attention.

And in practice, the people who implement COSO and ISO 31000 risk management systems often miss that most important objective.

The first two conditions call for a company to demonstrate that it will honor its promises to pay indemnification benefits promptly and fully, i.e. that it is and will remain solvent and have the capital on hand to continue to conduct ‘business as usual’ in the future. They call for a company to determine how much risk capital it needs to ensure its credit worthiness, in relation to risks that it assumes to execute its strategic plan.

The third condition calls for a company to sustain and even enhance its credibility with capital market investors, to support its market valuation, keep its cost of capital and thus also the cost of its risk capacity competitive. If the level and stability of its earnings did not meet the requirements of capital market investors, a company could lose investors’ support. This could cause its valuation multiples to decline and the cost of its capital and risk capacity to increase.

Together, these three conditions require a company to establish a capacity management framework (focused on insuring solvency and the quality of promises made to policyholders) aligned with its business strategy management process (focused on meeting shareholders’ expectations for financial performance). Note, however, that no such alignment can enable a company to create value for its shareholders unless the company is positioned to achieve a competitive advantage in attracting, serving and retaining customers. It thus behooves management always to verify that their company:

• Can achieve a competitive advantage based on superior risk insights, service capabilities, deal flow generation, cost of capital and operating efficiencies

• Provide products that attract, serve and retain customers
• Has the capital required to sustain the ratings it needs to compete and the willingness to assume the resulting performance volatility
• Has the organizational capabilities needed to manage and control underwriting, claim processing, investment and risk management activities
• Has the insights and processes needed to ensure pricing discipline and alignment of management and shareholders’ interests.

Based on such an explicit understanding of its strategic position and capabilities relative to its competitors’, alignment of risk capacity management and business strategy management calls for a company to integrate relevant strategy considerations outlined above in the components of its risk strategy, especially:

• Risk policy, specifying risks that will be assumed to accomplish financial objectives while meeting risk tolerance constraints of external stakeholders
• Risk appetite, defined as the amount of risk capacity that can be deployed/utilized in pursuit of its strategy in light of the company’s total risk capacity
• Risk limits, which reflect its risk policy and appetite for risk and control risk taking in the development and execution of its operating plans and budgets

Based on projections of financial results expected under a particular risk capacity deployment strategy and business strategy, embodied in a set of risk limits, a company can ascertain whether its plan can meet the return objectives and risk tolerances of its stakeholders. As needed, it can also seek to identify and assess alternative strategies that may provide superior trade-offs between risk and return that may call for changes in risk policy, risk appetite, risk limits and business strategy (the iterative process by which such enhancements can be identified and developed is shown on Figure 2).

Figure 1 displays how solvency risk concerns of policyholders and other credit-focused stakeholders and value risk concerns of shareholders, expressed as risk tolerance constraints, at stated confidence levels and over a defined time period, help to frame a company’s risk strategy. The components of the risk strategy (i.e. risk appetite, risk policy and risk limits) reflect boundaries set on the deployment of a company’s risk capacity by i) the amount of the (paid-up) capital available to support risk assumption and accumulation, and ii) the cost of this capital, generally measured by shareholders’ total return requirement (TSR).

Figure 2 demonstrates how a company can align its business strategy, risk capacity and risk strategy management processes to meet the solvency risk concerns of policyholders and the earnings (value) concerns of shareholders. It demonstrates the distinct places of risk capacity, risk appetite, risk policy, risk limits in the business strategy and risk strategy management processes and highlights the centrality of risk limits to the integration and alignment of these processes.

Managing conflicting agendas

Financial risks generated by, or in connection with, the issuance of insurance contracts manifest themselves in the volatilities of a company’s operating cash-flows and reported earnings that are of concern to i) policyholders and other stakeholders with an interest in its credit worthiness and solvency (rating agencies and regulators) and ii) shareholders with a focus on risk to the value of their investment. These two groups of stakeholders have conflicting views about how a company can best address their risk concerns.

Policyholders, as the most senior creditors, view increases in capital as added protection and a natural protection against the risk of default by a company. By contrast, risk to value for shareholders caused by the volatility of financial results cannot be remedied efficiently by addition of capital (i.e. increases in risk capacity). First, other things being equal, an increase in capital would need to be very large to generate enough income to mitigate earnings volatility sufficiently. Second, such increase would so dilute returns that it would undermine rather than support valuation multiples. Consequently, shareholders look to insurance companies to manage and control the volatility of their cash-flows and earnings through development and implementation of appropriate risk policies designed to limit the volatility of their financial results.

In addition, however, shareholders also concern themselves with declines in relative valuation multiples. Such declines result generally from the incidence of strategic risks, i.e. events that reduce a company’s future earnings or revenue growth prospects by causing i) its competitive position to erode or ii) changes in its operating environment that undermine the viability of its business model. Shareholders expect companies to support their valuation multiples and protect them from strategic risks by i) building flexibility and real options in their strategies, ii) transferring or avoiding risks that cannot be mitigated, iii) pursuing strategies that can support their expectations for profitability and growth.

Conclusion

Based on the framework for integration of risk management and business strategy outlined above, an insurance company could develop a road-map to:
• Align its business strategy with the risk tolerances of its stakeholders as well as the amount and cost of its risk capacity
• Develop the decision frameworks and analytical capabilities needed to integrate its risk and business strategy management processes
By following such a road-map, an insurance company could develop and execute business and risk strategies that enhance its financial performance and its relative market valuation.

Jean-Pierre Berliet
(203) 247-6448
jpberliet@att.net

February 14, 2011

Note: This article is abstracted from the “Risk Management and Business Strategy in P/C Insurance Companies” briefing paper published by Advisen (www.advisen.com) and available at the Corner Store.

When someone sits atop a government for 30 years, it is easy to assume that next week they will still be on top.

Until that is no longer true.

When there is a regime change, it happens because the forces that were in a stable equilibrium shift in some way so that they can no longer support a continuation of the past equilibrium. In hindsight, it is possible to see that shift. But the shift is often not so obvious in advance.

Again, as when the Soviet Union fell apart, the intelligence services were seemingly taken by surprise.

But is there really any difference between the two types of regime change? Is it any easier to actually notice an impending regime change on a modeled risk than an impending political risk?

Why are we so bad at seeing around corners?

In the area of public health, it is well known that diseases follow a standard path called an S curve. That is the path of a curve plotting the number of people infected by a disease over time. The path has a slight upward slope at first then the slope gets much, much steeper and eventually it slows down again.

When a new disease is noticed, some observers who come upon information about the disease during that middle period during the rapid upward slope will extrapolate and predict that the disease incidence will grow to be much higher than it ever gets.

The reason for the slowdown in the rate of growth of the disease is because diseases are most often self limiting because people do not usually get the disease twice. Diseases are spread by contact between a carrier and an uninfected person. In the early stages of a disease, the people who make the most contacts with others are the most likely to become infected and themselves become carriers. Eventually, they all lose the ability to be carriers and become immune and the number of times that infected carriers come into contact with uninfected persons starts to drop. Eventually, such contacts become rare.

It is relatively easy to build a model of the progression of a disease. We know what parameters are needed. We can easily estimate those that we cannot measure exactly and can correct our estimates as we make observations.

We start out with of model of a disease that assumes that the disease is not permanent.

We plan for regime change.

Perhaps that is what we need for the rest of our models. We should start out by assuming that no pattern that we observe is permanent. That each regime carries the seeds of its own destruction.

If we start out with that assumption, we will look to build the impermanence of the regime into our models and look for the signs that will show that whatever guesses we had to make initially about the path of the next regime change can be improved.

Because when we build a model that does not include that assumption, we do not even think about what might cause the next regime change. We do not make any preliminary guesses. The signs that the next change is coming are totally ignored.

In the temperate zones where four very different seasons are the norm, the signs of the changes of seasons are well known and widely noticed.

The signs of the changes in regimes of risks can be well known and widely noticed as well, but only if we start out with a model that allows for regime changes.

Like this:

Last week the Seattle Times had an incredible story about the ultimate costs of a failed outsourcing strategy at Boeing.

The story quotes Wall Street sources to say that ultimately the failure of outsourcing partners created $12 Billion of extra costs on a project initially planned to cost $5 Billion.

“We spent a lot more money in trying to recover than we ever would have spent if we’d tried to keep the key technologies closer to home,” said Boeing Commercial Airplanes Chief Jim Albaugh.

The story is probably one extreme of bad outsourcing. In many cases it works out well. But it is quite likely that firms often make the mistake of ignoring or downplaying risk and uncertainty and only look at cost savings when they make outsourcing decisions.

One simple way to look at the uncertainty is with the 5 point scale from “Getting a Handle on Uncertainty“. But perhaps because of the “one off” nature of outsourcing, one point should be added to the uncertainty score.

But doubtless, firms who get “comfortable” with outsourcing, get comfortable with a higher degree of uncertainty.

Like this:

The global financial crisis has reduced the market capitalization and price to book ratios of property/casualty insurance companies dramatically. According to a study published by Bank of America Merrill Lynch in August 2009, the S&P P/C index was trading at a 1.0 price/book ratio at that time, sharply down from a 1.4 average over the last three years and a 1.6 over the last 20 years. The updated historical valuations report published in August 2010 indicates that the S&P P/C index was trading at a 1.1 price/book ratio at that time. Excluding Progressive, companies in the Merrill Lynch index were trading then at an average price/book ratio of .89. This data suggests that the industry lost credibility with investors in 2008-2009 and has failed so far to persuade them that it is positioned to resume growing profitably in an uncertain rate environment.

Ironically, the crisis started just a few years after rating agencies began to include an assessment of the effectiveness of enterprise risk management (ERM) in their rating decisions and after they had given most insurers passing grades or above. It is clear now that ERM did not prevent a number of insurance companies from overextending themselves. Investors have concluded that risk management failed broadly and is disconnected from business strategy. They are justified in wondering whether risk management frameworks and processes of insurance companies will be more effective in the present lower volume and lower rate environment. Under such expected market conditions, investors are concerned that companies might lack discipline and write business at inadequate rates in order to achieve their premium volume objectives.

More generally, investors are concerned that strategic planning frameworks of many insurance companies are “expected value” focused, and are thus myopic about risk. In addition, investors are also aware that design weaknesses of ERM frameworks cause many executives i) to distrust “ex-post” decision signals provided by risk adjusted management performance metrics and ii) often to ignore resulting decision signals to redeploy capital or optimize asset allocation and reinsurance strategies. The existence of significant weaknesses in strategic planning and ERM frameworks and management processes explains why establishing tight and credible linkages between ERM and business strategy decisions is problematic and why ex-post measurement of risk adjusted performance is not viewed by investors as helpful. Just like the cleaning up of risks that manifested themselves, such as catastrophes and investment losses, ex-post risk management accomplishes only little, too late, and at great cost.

To respond to concerns of investors, insurance companies need to make their strategic planning and ERM frameworks capable of addressing credibly, and in a mutually consistent manner, the risk management issues raised and business strategy decisions impacted by the asymmetrical distribution of the financial results of insurance businesses. Investors believe, in particular, that risk management would create more value if i) risk insights guided the management and deployment of a company’s risk capacity “ex-ante”, that is before insurance policies were bound or investment decisions were made, and ii) strategy decisions about risk assumption and accumulations always took into consideration the adequacy of insurance rates and changes in market volume

These considerations call for the integration of value and risk governance frameworks and management processes in insurance companies. In the absence of such integration, there will be an enduring disconnect between strategy and risk management, and neither value based management (VBM) nor ERM will be credible or effective.

To be effective, the integration framework must recognize that, in insurance businesses, the cost of risk is known only after contracts have expired and related liabilities have run off. This unique peculiarity of loss costs, the raw material of insurance businesses, makes ex-post risk management a contradiction in terms. It places risk issues at the core of strategy development and execution. To achieve the needed integration of ERM and VBM, insurance companies must be careful to develop and establish distinct but tightly aligned:

Governance frameworks for VBM and ERM, that specify the respective roles and responsibilities of the Board of Directors, external advisers, and Senior Management with regard to the development and approval of a company’s business mission and strategic plan, including i) the evaluation of risk return trade-offs, ii) the setting of financial objectives, iii) the oversight of strategy execution, and iv) accountability for results

Managerial frameworks and processes capable of ensuring alignment of business strategy and risk management decisions across risk types, operational activities and products or markets.

Risk management must not be an afterthought in insurance businesses. An insurance company needs to establish “ex-ante” risk management as an essential foundation for the effective integration of its VBM and ERM frameworks. Ex-ante risk management is based on the observation that, together, risk assumption and accumulation functions in insurance companies are analogous to production in industrial companies. A properly designed risk management framework that supports “ex-ante” management of risk exposure accumulations should help an insurance company:

Achieve loss costs and earnings volatility advantages

Reduce both the amount and the cost of the capital they require

Support effective development and execution of its business strategy

Such possibilities make “ex-ante” risk management concepts and tools and risk capacity management as important to business strategies of insurance companies as scale, equipment and machinery specialization, flexible automation and outsourcing, i.e. production strategy elements, are to business strategies of industrial companies. Notably, ex-ante risk management requires insurance companies to develop and use insights about risks that can provide a competitive advantage. Unlike cost reduction, product or service enhancements or pricing initiatives, risk insights and the underlying ability to compete on analytics, cannot be easily or rapidly duplicated by competitors. They can thus enable insurance companies to achieve more enduring margin improvements and escape for a while the strategic stalemate conditions under which they operate in many businesses.

To restore their credibility, insurance companies need to persuade investors that “ex-ante” risk management will support effective strategy implementation and drive risk capacity deployment, thereby improving financial performance. To accomplish the required alignment of risk capacity management, risk taking and business strategy management, companies need to establish the following three distinct but tightly integrated frameworks for:

Measuring and assessing risk capacity utilization

Addressing financial risk concerns of external stakeholders

Deploying and leveraging risk capacity.

Integration of these frameworks would be effected through development of risk limits by line of business and business segment. Such risk limits would provide an insurance company a means to i) drive and control the deployment of its risk capacity toward uses that are projected to meet the return expectations and risk tolerances of its external stakeholders, ii) develop performance metrics needed to assess risk and return trade-offs of alternative strategies and align risk capacity management and business strategies and iii) improve risk capacity utilization and enhance financial performance.

To establish and use these frameworks, insurance companies need to integrate risk insights that emerge at the intersection of actuarial analysis, underwriting expertise, strategy analysis and financial simulation.